[Gmod-ajax] JBrowse - access control docs incomplete


[Gmod-ajax] JBrowse - access control docs incomplete

Keiran Raine
Hi all,

Can someone please provide more information as to how you get JBrowse to require a login cookie.  The docs linked don’t give any information:

http://gmod.org/wiki/JBrowse_Configuration_Guide#Authentication_and_Access_Control

I just need to know:

  1. How do I tell JBrowse that it should be checking for a login (I assume there’s a config value to be set)
  2. What value needs to be set in the cookie (I can see the cookie and that it has picked up my manually configured ‘documentDomain’)



If someone can point me in the correct direction I’m happy to update documentation with a proven example.

Thanks,

Keiran Raine
Principal Bioinformatician
Cancer Genome Project
Wellcome Trust Sanger Institute

Tel:+44 (0)1223 834244 Ext: 7703
Office: H104


-- The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.

_______________________________________________
Gmod-ajax mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/gmod-ajax

Re: JBrowse - access control docs incomplete

Raymond Wan-2
Hi Keiran,

I'm not sure if someone more experienced replied to you yet.  But for
what it's worth, this is what I did with CAS.

It looked like everything that JBrowse does is within index.php .
(Someone correct me if I'm wrong.)  So, if I put an

<?php
if (authenticated()) {   // the CAS-based check, returning a Boolean
  //  All this from index.php
?>
    <div id="GenomeBrowser" style="height: 100%; width: 100%; padding: 0; border: 0;"></div>
    <div style="display: none">JBrowseDefaultMainPage</div>
<?php
}
else {
  //  Show some error message and redirect to a CAS login page
}
?>

The "authenticated" part is where I call a CAS-based function that
returns a Boolean variable.  I presume you can replace that with
something that queries an SQL database and/or a cookie.  (Many web
pages describe how to do this better than I can.)

I mentioned before that I didn't know if this was fool-proof.  I don't
know if someone can bypass this page to see the data.  It's on my
to-do list...


On Wed, Jun 8, 2016 at 9:31 PM, Keiran Raine <[hidden email]> wrote:
> Can someone please provide more information as to how you get JBrowse to require a login cookie.  The docs linked don’t give any information:
>
> http://gmod.org/wiki/JBrowse_Configuration_Guide#Authentication_and_Access_Control
>
> I just need to know:
>
> How do I tell JBrowse that it should be checking for a login (I assume there’s a config value to be set)
> What value needs to be set in the cookie (I can see the cookie and that it has picked up my manually configured ‘documentDomain’)


What I said above wasn't quite what you were looking for.  If there is
something built-in that can be turned on by setting a value in
jbrowse.conf (for example), that would be cool.

HTTP Basic authentication might be better since you can request a
password for every file within a directory.  I chose CAS instead
because I didn't want to manage user accounts...

Ray


Re: JBrowse - access control docs incomplete

Keiran Raine
Hi Raymond,

Thank you for getting back to me, unfortunately no-one else has commented.

With your initial pointer I'm taking a look at phpCAS and will get back to the list once I have a more detailed example.

https://github.com/Jasig/phpCAS/

Just waiting for confirmation of our CAS server details so I can start testing...

Regards,

Keiran Raine
Principal Bioinformatician
Cancer Genome Project
Wellcome Trust Sanger Institute

Tel:+44 (0)1223 834244 Ext: 7703
Office: H104


Re: JBrowse - access control docs incomplete

Raymond Wan-2
Hi Keiran,


On Mon, Jun 13, 2016 at 9:09 PM, Keiran Raine <[hidden email]> wrote:
> With your initial pointer I'm taking a look at phpCAS and will get back to
> the list once I have a more detailed example.
>
> https://github.com/Jasig/phpCAS/
>
> Just waiting for confirmation of our CAS server details so I can start
> testing...


If you are using CAS, then I can do a bit better and fill in the
blanks for you.  I wasn't purposely withholding information -- after
all, I worked out what I had to do from the phpCAS examples.  But, I
figured if you weren't using CAS, then I shouldn't bore you with the
details.

Of course, the standard disclaimer applies -- I didn't really know
what I was doing, so if you (or anyone else here) sees an obvious bug,
please let me / us know.  Our data isn't [at the moment] highly
secretive, so I can be a little slack for now.

Indeed, my starting point was this:
https://wiki.jasig.org/display/CASC/phpCAS .  Alternatives using
Apache's mod_auth_cas, Java, and Perl's AuthCAS module were also
suggested by our administrators.

In short, this is index.php, which was a modification of JBrowse's
index.html.  XXX-about.php gives information about our JBrowse
instance.  config.php is the same as the phpCAS example and CAS.php is
from the phpCAS library.  You'll need to plug in values into
config.php .


-----
<?php

// Load the settings from the central config file
require_once 'config.php';
// Load the CAS lib
require_once $phpcas_path . '/CAS.php';

// Enable debugging
// phpCAS::setDebug();

// Initialize phpCAS
phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);

// For production use set the CA certificate that is the issuer of the cert
// on the CAS server and uncomment the line below
phpCAS::setCasServerCACert($cas_server_ca_cert_path);

// For quick testing you can disable SSL validation of the CAS server.
// THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
// VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL!
// phpCAS::setNoCasServerValidation();

if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}
if (isset($_REQUEST['login'])) {
    // handle incoming logout requests
    phpCAS::handleLogoutRequests(true);
    phpCAS::forceAuthentication();
}

// check CAS authentication
$auth = phpCAS::checkAuthentication();

?>
<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <title>XXX</title>
    <link rel="stylesheet" type="text/css" href="css/genome.css">
    <script type="text/javascript">
    ...SAME AS BEFORE...
    </script>
    <script type="text/javascript" src="src/dojo/dojo.js"></script>
    <script type="text/javascript" src="src/JBrowse/init.js"></script>
    <script type="text/javascript">
    ...SAME AS BEFORE...
    </script>
  </head>

  <body>
<?php
if ($auth) {
?>
    <div id="GenomeBrowser" style="height: 100%; width: 100%; padding: 0; border: 0;"></div>
    <div style="display: none">JBrowseDefaultMainPage</div>

    <p><a href="XXX-about.php" target="_blank">About this genome browser</a></p>

    <!-- HTML-escape the user name so a value supplied by the CAS server cannot inject markup -->
    <p>Currently logged in as:  <strong><?php echo htmlspecialchars(phpCAS::getUser(), ENT_QUOTES, 'UTF-8'); ?>@XXX</strong>.</p>
    <p><a href="https://XXX.authsite.XXX/cas/logout?url=http://XXX.mysite.XXX/jbrowse/">Logout</a>
(Closing the browser is also required.)</p>
<?php
} else {
?>
    <h1>XXX</h1>

    <h2>Authentication Required</h2>
    <p>Access to the system requires you to authenticate yourself with
our Central Authentication Service:</p>
    <p><a href="?login=">Login</a></p>
    <p>You can logout using the link at the <strong>bottom</strong> of
the genome browser, followed by closing your web browser.</p>
<?php
}
?>
  </body>
</html>
-----


Perhaps it's somewhat obvious, but I started off with a "Hello World"
that demonstrated authentication was working.  After that, it was a
matter of just combining that with JBrowse's index.html .

I hope this helps!

Ray


Re: JBrowse - access control docs incomplete

Keiran Raine
Hi Raymond,

I've been having a poke/thing on this while waiting for our systems team to get back to me.

I don't think you are securing the underlying data in this way, just preventing users from accessing the web front end.  Without modifications to the server configuration it doesn't know if it should be serving the underlying data.

The web-server backing your JBrowse instance basically serves files (or chunks of files) to the requestor.  In a default nginx setup you can't list the content of a directory, but you can determine if it exists, e.g.

Area that doesn't exist:
your.jbrowse/JBrowse/wibble = 404 Not Found

but a real location will give:
your.jbrowse/JBrowse/sample_data/json/modencode/ = 403 Forbidden

If someone really wanted to be malicious knowing that all datasets contain a trackList.json you can pull that file and use it to identify the paths to all your underlying datafiles:
curl -sSL http://your.jbrowse/JBrowse/sample_data/json/modencode/trackList.json | grep -P '(urlTemplate|type)' | head -n 4
         "urlTemplate" : "seq/{refseq}/",
         "type" : "SequenceTrack",
         "urlTemplate" : "tracks/volvox_microarray.wig/{refseq}/trackData.json",
         "type" : "ImageTrack.Wiggle",

Obviously this is more concerning when looking at config files containing VCF/BAM data but this gives the idea.  The impact of this depends on if the server is accessible publicly and how sensitive the underlying data is.

I've had a look at a few nginx implementations that show the changes required on the server side to secure all routes:

CAS: https://github.com/racx/cas-auth-lua-nginx
LDAP: https://github.com/kvspb/nginx-auth-ldap

I'll be trying out the LDAP route hopefully in the next few weeks.

Regards,

Keiran Raine
Principal Bioinformatician
Cancer Genome Project
Wellcome Trust Sanger Institute

Tel:+44 (0)1223 834244 Ext: 7703
Office: H104


Re: JBrowse - access control docs incomplete

Raymond Wan-2
Hi Keiran,


On Tue, Jun 14, 2016 at 4:38 PM, Keiran Raine <[hidden email]> wrote:
> I've been having a poke/thing on this while waiting for our systems team to
> get back to me.
>
> I don't think you are securing the underlying data in this way, just
> preventing users from accessing the web front end.  Without modifications to
> the server configuration it doesn't know if it should be serving the
> underlying data.


Yes, I don't think CAS or any authentication system using cookies can
protect the underlying data.

I think you would have to add something like this to the server
configuration (using Apache 2.4 syntax):

<Directory "/var/www/html/jbrowse/">
    ##  Allow access to everyone
    Require all granted

    # Disable access if the request is a set of files
    # (each extension is its own alternative in the pattern)
    <FilesMatch "(\.json|\.txt|\.jsonz|\.txtz|\.bam|\.bai|\.htaccess)$">
      Require all denied
    </FilesMatch>
</Directory>

[NB:  Untested code above as I haven't installed it on our system yet.]


> Obviously this is more concerning when looking config files containing
> VCF/BAM data but this gives the idea.  The impact of this depends on if the
> server is accessible publicly and how sensitive the underlying data is.
>
> I've had a look at a few nginx implementations that show the changes
> required on the server side to secure all routes:


So, I should clarify what I said earlier of what I didn't test.

I have played with some content management systems like Joomla and
WordPress and even though both have login screens, you still need to
modify the web server's configuration files (i.e., *.conf) to make it
secure.  Never mind leaking data...within days or weeks, your site
could probably get hacked.

What I hadn't tested was whether the CAS code in the previous e-mail +
the server code above can "secure" the system without losing any
functionality.  I *think* it might work because index.php will compile
on the server side and incorporate all of the data before sending to
the user.  i.e., the user's web browser never really needs to directly
request a .json file or a .txt file.

But.....I haven't tested this yet since I didn't install the above
Apache code yet.  (The system I'm running this on is already blocking
all external IP addresses already.  I suppose the login requirement is
actually unnecessary.)


> CAS: https://github.com/racx/cas-auth-lua-nginx
> LDAP: https://github.com/kvspb/nginx-auth-ldap


Thanks!  I will look at them later.  But I did notice the CAS link has
this in the README:

"This is a POC project of a Lua module to authenticate CAS users on
NGINX before reaching the application."

I'm not sure if this is something I need.  Our institute's IT
department has already set up CAS for the entire university to use.
In our case, if a user visits our JBrowse site and is not yet
authenticated,  the code I sent to you would kick them off to the IT
department's authentication system.  They authenticate them and then
boots them back to us.  Each time index.php is loaded, we're checking
if the cookie with that centralized system is still valid (i.e., it
might have expired).

So, user creation and user authentication is deferred to this
centralized system.  All I'm doing is checking if the cookie is valid.

It's possible that what I'm doing is further "downstream" from what
you're doing if the CAS authentication isn't being handled by another
system already...

Ray

PS:  Disclaimer...my understanding of how CAS works; hope it's correct!
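The gap Keiran describes (index.php gates the page, but trackList.json and the track files are fetched by the browser straight from the web server) and Ray's Apache snippet, whose blanket "Require all denied" on .json files would also stop a logged-in user's browser from loading tracks, can be combined into one server-side gate that checks the CAS session before handing out any data file. This is an added example, not code from the thread or from the JBrowse or phpCAS projects; the script name data.php, DATA_ROOT at /srv/jbrowse-data, the rewrite rule and the use of phpCAS::isAuthenticated() for a session-only check are assumptions.

```php
<?php
// Added example (not from the thread, JBrowse or phpCAS): a gate, assumed to
// live at /jbrowse/data.php, in front of the JBrowse data files that the
// browser fetches directly and index.php never sees. Assumes config.php and
// CAS.php as in Ray's index.php, the data kept outside the document root,
// and this Apache 2.4 rewrite so the JBrowse data URL stays unchanged:
//   RewriteEngine On
//   RewriteRule ^/jbrowse/data/(.*)$ /jbrowse/data.php?f=$1 [L,QSA]
require_once 'config.php';
require_once $phpcas_path . '/CAS.php';
// Absolute path of the only directory this script may read from (assumed).
const DATA_ROOT = '/srv/jbrowse-data';

phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
phpCAS::setCasServerCACert($cas_server_ca_cert_path);

// Check the session only; never redirect an XHR for a JSON chunk to the CAS
// login page (the client would get HTML where it expects JSON). index.php
// remains the place where the login happens.
if (!phpCAS::isAuthenticated()) {
    http_response_code(401);
    exit('Authentication required');
}

// Resolve the request and insist the result stays below DATA_ROOT, so that
// ../ sequences, symlinks or absolute paths cannot reach other files.
$root = realpath(DATA_ROOT);
$real = realpath(DATA_ROOT . '/' . (isset($_GET['f']) ? $_GET['f'] : ''));
if (!$real || !is_file($real)
    || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// Content types the JBrowse client expects; anything else is opaque bytes.
$types = array('json' => 'application/json', 'jsonz' => 'application/json',
               'txt' => 'text/plain', 'txtz' => 'text/plain');
$ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
header('Content-Type: ' . (isset($types[$ext]) ? $types[$ext] : 'application/octet-stream'));
if ($ext === 'jsonz' || $ext === 'txtz') {
    header('Content-Encoding: gzip');   // these are pre-compressed on disk
}
// JBrowse reads BAM/BAI/BigWig/tabix data with HTTP Range requests; a gate
// that ignored Range would break those tracks. Serve a single byte range.
$size = filesize($real);
$start = 0;
$end = $size - 1;
header('Accept-Ranges: bytes');
if (isset($_SERVER['HTTP_RANGE'])
    && preg_match('/^bytes=(\d*)-(\d*)$/', $_SERVER['HTTP_RANGE'], $m)
    && ($m[1] !== '' || $m[2] !== '')) {
    $start = ($m[1] === '') ? max(0, $size - (int)$m[2]) : (int)$m[1];
    $end = ($m[1] !== '' && $m[2] !== '') ? min((int)$m[2], $size - 1) : $end;
    if ($start > $end || $start >= $size) {
        http_response_code(416);
        header("Content-Range: bytes */$size");
        exit;
    }
    http_response_code(206);
    header("Content-Range: bytes $start-$end/$size");
}
header('Content-Length: ' . ($end - $start + 1));
// Stream in chunks rather than loading a whole BAM into memory.
$fh = fopen($real, 'rb');
fseek($fh, $start);
for ($left = $end - $start + 1; $left > 0; $left -= strlen($buf)) {
    if (($buf = fread($fh, min(65536, $left))) === false || $buf === '') break;
    echo $buf;
}
fclose($fh);
```

Unlike the deny-all FilesMatch, the client still receives the bytes, only after the session check, so tracks keep working; a quick check is that the curl for trackList.json Keiran shows above now returns 401 without the session cookie.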
